"net rpc group addmem/delmem" ignores the "managedBy" group attribute.
Typically, the AD ACL group has the following attributes:
cn
description
distinguishedName
dSCorePropagationData
gidNumber
groupType
info
instanceType
managedBy
member
name
objectCategory
objectClass
objectGUID
objectSid
sAMAccountName
sAMAccountType
uSNChanged
uSNCreated
whenChanged
whenCreated
The “managedBy” attribute refers to another ACL group that can manage this group (i.e. add/remove users). It looks like "net rpc group addmem/delmem" only makes an LDAP modify request to the AD, so unless you have LDAP write access (e.g. Domain Admin) you won’t be able to modify the group. In other words, it ignores the special “managedBy” attribute.
Thanks,
-- Abraham
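
For auditing the delegation described in the report above, the following added example (not part of the original post and not Samba code) reads an LDIF export of groups and lists, for each group that sets managedBy, the accounts that value points at. It assumes managedBy carries the delegation as the post describes; the LDIF sample, the DNs and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample: LDIF export of three groups; every DN here is made up.
BASE = "DC=example,DC=com"
DAVE_B64 = base64.b64encode(("CN=dave,OU=Users," + BASE).encode()).decode()
SAMPLE_LDIF = f"""\
dn: CN=Project-X,OU=Groups,{BASE}
objectClass: group
managedBy: CN=Project-X-Owners,OU=Groups,{BASE}

dn: CN=Project-X-Owners,OU=Groups,{BASE}
objectClass: group
member: CN=alice,OU=Users,{BASE}
member: CN=bob,OU=Users,
 {BASE}

dn: CN=Helpdesk,OU=Groups,{BASE}
objectClass: group
managedBy:: {DAVE_B64}
"""

def parse_ldif(text):
    """Return {lowercased dn: {lowercased attr: [values]}} from LDIF text."""
    entries, current = {}, None
    # A line starting with one space continues the previous line; unfold first.
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if not line.strip():
            current = None  # a blank line ends the current entry
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value.lower(), defaultdict(list))
        if current is not None:
            current[attr.lower()].append(value)
    return entries

def membership_managers(entries):
    """Map each group that sets managedBy to the accounts it names.
    A manager that is an exported group is expanded one level (no nesting)."""
    report = {}
    for entry in entries.values():
        for manager_dn in entry.get("managedby", []):
            target = entries.get(manager_dn.lower())
            is_group = target and "group" in map(str.lower, target["objectclass"])
            report[entry["dn"][0]] = sorted(target["member"]) if is_group else [manager_dn]
    return report
```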